Comment by numpad0
2 years ago
That's assuming the device runs GNU/Linux with / mounted rw. But not everything is a laptop or a desktop.
2 years ago
> That's assuming the device runs GNU/Linux with / mounted rw. But not everything is a laptop or a desktop.
No, it's assuming a device running a ssh daemon with something mounted rw or user-modifiable[0] that can hold an authorized_keys file. A NetBSD embedded board that configures sshd with `AuthorizedKeysFile /sdcard/config/authorized_keys` would be fine, for instance.
[0] For example, you could let the user write their key to an SD card and then mount it ro on the device.
So what do you do when the device has no long-term storage like an SD card?
Such a device is then simply not suitable for situations where the issues with SSH password authentication become relevant.
What kind of device runs sshd but has no persistent storage?
"One time, on first use, where absolutely necessary, and changing password immediately afterwards" seems a reasonable interpretation of "approximately never".
I don't know. I come across old AP/routers where I've forgotten the login credentials and find myself hard resetting them with some regularity, one that's above "approximately never" anyway.
I'm presuming the hard reset is to a factory-assigned password.
Is that uniform across all devices, or device-specific?
Practice I've seen for some years now is to have a label on the device with admin/root password, which is presumably neither uniform across devices nor trivially-determinable from device characteristics (e.g., MAC address, sequential serial numbers, etc.).
I'd still consider that practice reasonably tolerable, though you should be keeping better tabs on assets and credentials.
It could be totally fine if you disable WiFi and connect physically. At least the first time for setup.